To protect the securities market from cyber threats, regulator Sebi on Monday asked stock exchanges and other key entities to put in place necessary framework to safeguard systems, networks and databases from such attacks.
Asking all exchanges, clearing corporations and depositories to implement necessary changes within six months, Sebi said these Market Infrastructure Institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions of trading, clearing and settlement in securities market.
"As part of the operational risk management framework to manage risk to systems, networks and databases from cyber attacks and threats, MII should formulate a comprehensive cyber security and cyber resilience policy document" to put in place such a framework, Sebi said in a circular.
Identifying cyber crime as a major threat, Sebi Chairman U K Sinha recently said such attacks are occurring these days in a more sophisticated manner while he also raised concerns about the state-sponsored cyber attacks from abroad.
"We are worried over state-sponsored cyber attacks. There are worries that the vulnerability in markets are increasing. We need to create a framework for future plan of action on securities market resilience," he had said. In its today's circular, Sebi also asked MIIs to restrict access controls, whenever necessary. "No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.
"MII should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users)," it said.
The exchanges and other MIIs would also have to submit quarterly reports to Sebi, containing information on cyber attacks and threats experienced by them and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs, vulnerabilities and threats that may be useful for other MIIs.
Sebi also asked the MIIs to share the useful details among themselves "in masked and anonymous manner" using a mechanism to be specified by the regulator from time to time.
The regulator further asked MIIs to identify critical assets based on their sensitivity and criticality for business operations, services and data management.
"To this end, MII should maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows."
The regulator also asked MIIs to identify cyber risks (threats and vulnerabilities) that they may face, along with the likelihood of such threats and impact on the business and thereby, deploy controls commensurate to the criticality.
"MII should also encourage its third-party providers, such as service providers, stock brokers, depository participants, etc to have similar standards of Information Security," it said.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
